Abstract. In this paper we address the problem of large space consumption
for protocols in the Bounded Retrieval Model (BRM), which require users to
store large secret keys subject to adversarial leakage. We propose a method
to derive keys for such protocols on-the-fly from weakly random private data
(like text documents or photos, which users keep on their disks anyway for
non-cryptographic purposes) in such a way that no extra storage is needed. We
prove that any leakage-resilient protocol (belonging to a certain, arguably
quite broad class) when run with a key obtained this way retains a similar
level of security as the original protocol had. Additionally, we guarantee
privacy of the data the actual keys are derived from. That is, an adversary
can hardly gain any knowledge about the private data except what he could
otherwise obtain via leakage. Our reduction works in the Random Oracle
model.

As an important tool in the proof we use a newly established bound for
min-entropy, which can be of independent interest. It may be viewed as
an analogue of the chain rule - a weaker form of the well-known formula
$H(X \mid Y) = H(X, Y) - H(Y)$ for random variables X, Y, and Shannon
entropy, which our result originates from. For min-entropy only a much more
limited version of this relation is known to hold. Namely, the min-entropy
of X may decrease by up to the bitlength of Y when X is conditioned on
Y, in short: $H_\infty(X \mid Y) \ge H_\infty(X) - |Y|$. In many cases this inequality does
not offer tight bounds, and such significant entropy loss makes it inadequate
for our particular application. In the quasi chain rule we propose, we inject
some carefully crafted side information (spoiling knowledge) to show that
with large probability the average min-entropy of X conditioned on both Y
and this side information can be almost lower bounded by the min-entropy
of (X, Y) decreased by the min-entropy of Y conditioned on the side
information.
1 Introduction


1.1 Key derivation from sensitive data 

In this paper we make an attempt to adapt the problem of overcoming weak
expectations, which recently has attracted considerable attention in the cryptographic
community [2,11,28], to yet another well-recognized setting - the Bounded Retrieval
Model (BRM) [7,12]. Here, the term weak expectations refers to the (expected)
chances of breaking a cryptosystem when an imperfect source of randomness is
employed in places where uniformly random bits were supposed to be used. For
instance, one can quantify security of a system with semi-random keys used instead
of keys drawn from uniform distribution. What motivates such analysis is that the
standard assumption about unlimited availability of truly random bits turns out to
be overoptimistic in practice. On the other hand, cheap sources of weak randomness
can be easily found "in nature". Suffice it to mention physical sources or biometric
data [4,9], which remain somewhat unpredictable for adversaries.

In the conventional approach to cryptography, security of a scheme relies on
privacy of cryptographic keys. The dawn of so-called side channel attacks has influenced
this perspective significantly. There, an adversary may gain some partial knowledge
about the secret keys, e.g., by measuring timings [19], power consumption [20],
electromagnetic radiation [24], or even sounds (acoustic cryptanalysis) [15] emitted by
a device a cryptographic protocol is implemented on. Leakage-resilient
cryptosystems are meant to address attacks of this form and remain secure when the adversary
is allowed to adaptively learn arbitrary functions of the secret keys subject to only
one restriction - namely, the total length of information leaked in the process must
not exceed a leakage bound λ. There are in fact two slightly different models of
leakage considered in the literature. The relative leakage allows λ to be some
fraction of the length of a secret key. In the absolute leakage setting, also known as the
BRM [14], the parameter λ is fixed in the first place, and then the length of a key
may be chosen accordingly, depending on λ, to achieve the desired level of security.
It is important to note that this flexibility in increasing the key size does not
affect other parameters possibly present in a BRM protocol, such as computation or
communication complexity - these should only depend on a security parameter but
not on λ.


Space-efficient BRM. The leakage bound λ and, consequently, the size of a key in
the BRM are typically very large, the latter being of order of gigabytes. Although
per-gigabyte storage cost is becoming lower every year, this downside of BRM
protocols may still be an issue, e.g., for many mobile devices with quite limited size of
non-volatile memory available. When combined with the fact that keys used in these
protocols are required to be sufficiently random, it means that computers running
a BRM protocol are clogged with some huge blob of random and otherwise useless
data. In the solution we propose, BRM keys can be derived on-the-fly (that is, it
is not necessary to keep them on disk, and they may be computed when a relevant
portion of the key is requested) from data a user wants to store on his disk for any
other reason. The private user data usable in this context may include: text
documents, photos, audio files, or other media. This may lessen the problem of wasted
disk space; however, for the reduced space we trade in additional computations needed
to determine BRM keys.

An issue that arises here is that such data, when viewed as a source of
randomness, while being unpredictable, to a degree, for an adversary, is certainly not
uniformly random (e.g., note that certain segments in some file formats may be
fixed or come from a prescribed set of values). Here, the connection to the
aforementioned problem of overcoming weak expectations and, which is related, key
derivation, becomes apparent.


Overcoming weak expectations. A study of cryptographic applications that
retain a comparable level of security when fed with weakly random sources instead
of ones having uniform distributions was initiated by Barak et al. [2]. There, the
authors explore the idea of applying universal hash functions to key derivation. The
renowned Leftover Hash Lemma (LHL) [17] states that families of such functions
constitute good randomness extractors. Specifically, when applied to a source of
min-entropy k, an extractor of this form produces m bits which are δ-close (in terms
of statistical distance) to uniform, as long as $k \ge m + 2\log(1/\delta)$. A key obtained
this way can be then used in a cryptographic application. The min-entropy loss of
magnitude $2\log(1/\delta)$ may be unacceptably large in some situations but, as shown
by Radhakrishnan and Ta-Shma [25], it cannot be prevented in general. However, as
argued by the authors, there exists a wide range of applications where the entropy
loss can be cut down by the factor of 2 for a price of some security loss in the
application using non-uniform keys. This line of research was continued by Dodis
and Yu [11].


Sensitive data. Building a cryptographic protocol on top of randomness derived
from private data bears an obvious risk of compromising that data. One can imagine
an artificial protocol that simply publishes all accessible randomness. Also, a
protocol in the BRM does not necessarily guarantee protection of its key. Some fragments
of a BRM key may be passed, as a part of normal operating procedure, to an honest
party that did not possess the key in the first place. To give an example illustrating
such a situation, one can conceive of an authentication protocol in the BRM, which
itself appears to be folklore, based on a Merkle tree [21]. There, a hash tree is built
on an input BRM key and the resulting hash from the root is then forwarded to a
verifier (say, a bank). This way a user can commit to his key which, in its entirety,
is only stored on the user's side for efficiency reasons. On the other hand, the verifier
may learn parts of the key when the user attempts to authenticate himself. In order
to do that, the verifier demands to be presented with hashes along some path of his choice in
the Merkle tree. Such a path includes data from the initial BRM key and thus its
fragment gets revealed to the verifier.

Now, if a BRM key used in this protocol is obtained from data stored on disk
then, clearly, the key derivation procedure should enjoy some kind of a one-wayness
property. If the procedure does not hide its input then a dishonest verifier may
attempt to recover the underlying data or, at least, he may gain some partial
knowledge. In this paper, we aim at a solution that allows a user to protect his private and
possibly sensitive data in this scenario. Namely, we require that an adversary can
hardly learn anything more about the data except what he could otherwise achieve
via leakage.
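The folklore Merkle-tree authentication described above, as an added sketch that is not code from the paper: it shows that every opened path hands one key block to the verifier in the clear, which is why the key derivation must hide the underlying disk data. SHA-256, the "leaf"/"node" prefixes and all function names are assumptions of this example.

```python
import hashlib


def H(*parts):
    """SHA-256 over the concatenation of the given byte strings."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def build_tree(key_blocks):
    """Return all levels of the hash tree, leaves first.

    The number of key blocks must be a power of two (assumption of this sketch).
    """
    level = [H(b"leaf", b) for b in key_blocks]
    levels = [level]
    while len(level) > 1:
        level = [H(b"node", level[i], level[i + 1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def commit(key_blocks):
    """Root hash that the user forwards to the verifier at setup."""
    return build_tree(key_blocks)[-1][0]


def open_path(key_blocks, index):
    """User's answer to the challenge `index`.

    The answer contains the key block itself plus one sibling hash per level.
    """
    levels = build_tree(key_blocks)
    siblings = []
    i = index
    for level in levels[:-1]:          # the root level has no sibling
        siblings.append(level[i ^ 1])
        i //= 2
    return key_blocks[index], siblings


def verify(root, index, block, siblings):
    """Verifier recomputes the root from the revealed block and the siblings."""
    node = H(b"leaf", block)
    for sib in siblings:
        if index % 2 == 0:
            node = H(b"node", node, sib)
        else:
            node = H(b"node", sib, node)
        index //= 2
    return node == root


if __name__ == "__main__":
    # Constructed sample key: eight blocks of "private" data used directly as key.
    key = [b"constructed private note %d" % i for i in range(8)]
    root = commit(key)
    block, siblings = open_path(key, 5)
    print("accepted:", verify(root, 5, block, siblings))
    print("verifier now holds key block 5:", block)
```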
Overview of our solution. Seemingly, the problem of extracting an almost
random key from sufficiently random data can be easily solved, even in presence of
leakage, using a well-known primitive - namely, an average-case strong randomness
extractor. Its definition requires that for any two random variables X and I (where
I can be viewed as side information about X, i.e., a leak) such that the (conditional)
min-entropy of X given I (see (1) for a precise definition of conditional min-entropy)
is high enough, the output of the extractor Ext(X, R) is statistically close to
uniform even given a short random seed R and the side information I, in short:
$(\mathrm{Ext}(X, R), R, I) \approx (U, R, I)$. Dodis et al. [9] extend the LHL to show that
universal hash functions constitute good average-case extractors retaining nearly the
same parameters as in the original LHL. We also note that the definition of such
extractors is enough to cover the privacy requirement in our particular application
- if Ext(X, R) disclosed some information about private data X then by setting I to
be this information we would produce a correlation between Ext(X, R) and I, thus
violating the condition about Ext(X, R) being close to uniform and independent of
I. Overall, randomness extractors allow us to cover the two main properties we
aim at in this paper, i.e., the uniformity of keys and the privacy of underlying data.
However, such a construction would be downright impractical. From the
computational point of view, extractors are not suited best to work on inputs as huge as in
our application. Also, they are inherently non-local in the sense that each bit of an
output should depend on almost every bit of an input. This means that in order to
compute even a small portion of the derived key on demand using an extractor, one
has to read and supply almost the whole input data which is not a viable option.

To address the issue related to efficiency and locality, we propose a different way
of deriving keys from private data. Our idea is quite straightforward - it boils down
to splitting all the data into consecutive blocks of the same fixed length n (say,
n = 4 kB). A block could naturally correspond to the smallest allocation unit in a
filesystem present on a user's device. Then, we use hashing to extract randomness
from blocks. The naive method to implement it would be computing hashes block by
block. This approach, albeit simple, has a significant drawback. The only assumption
we make about the input data is that its joint min-entropy is not too small (this
measures the a priori knowledge of the adversary about the private data, before
leakage is taken into account). We do not demand however that the randomness
is equidistributed across all the blocks. Therefore, it may happen that even for
high overall min-entropy, e.g., $\frac{1}{2}\ell n$ where $\ell$ is the number of blocks, there exist $\ell/2$
blocks which, from the adversary's point of view, are constant. Consequently, the
corresponding parts of a derived key carry no randomness at all and are known to
the adversary.

To circumvent the problem caused by blocks with low min-entropy, we increase
the number of blocks a single block of a derived key depends on. That is, each hash
is calculated by taking not one but d blocks of input. Additionally, we amplify the
likelihood of the event that there is at least one high min-entropy block among
the selected d-tuple. This step actually introduces a new flavor to the reasoning.
Namely, we argue that the assumption on joint min-entropy of the input blocks with
large probability implies that there exists a large number of blocks each having
high min-entropy. This statement may seem rather natural and intuitive yet it
is somewhat tricky to prove. A related problem of extracting random blocks was
considered before by Nisan and Zuckerman [23] and Alwen, Dodis, and Wichs [1].
The fact that there should be plenty of sufficiently random blocks in the input
allows us to pick d-tuples of blocks randomly. However, to recreate portions of the
derived key on-the-fly one would have to store the auxiliary randomness used to select
those tuples, which may not be acceptable. Instead, we suggest employing dispersers
- d-regular bipartite graphs with the property that any sufficiently large set of
vertices on the left side is connected to almost all vertices on the right side. Every
such disperser induces a selection of d-tuples.

Clearly, increasing the degree of regularity d of a disperser reduces locality of
the key derivation method. This however comes as a trade-off. We use a
simulation-based argument to prove that any protocol using the derived key can be simulated
by a protocol operating on an original key with $O(n\ell/d)$ of additional leakage.
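The data flow of the derivation described above, as an added sketch that is not the paper's construction: SHA-256 stands in for the random oracle, the index prefix in the hash input is an assumption, and the circulant neighbour rule OFFSETS is a toy way of selecting d-tuples, not a proven disperser. It contrasts block-by-block hashing with d-tuple hashing on constructed disks where half of the blocks are constant.

```python
import hashlib

BLOCK = 4096               # n = 4 kB, the block length suggested in the text
OFFSETS = (0, 1, 5, 11)    # d = 4; toy neighbour rule (assumption, not a disperser)


class Disk:
    """Constructed stand-in for user data; counts block reads to show locality."""

    def __init__(self, blocks):
        self.blocks = blocks
        self.reads = 0

    def __len__(self):
        return len(self.blocks)

    def read(self, i):
        self.reads += 1
        return self.blocks[i]


def neighbours(j, num_blocks, offsets=OFFSETS):
    """Indices of the d input blocks that derived block j depends on."""
    return [(j + o) % num_blocks for o in offsets]


def derive_naive(disk, j):
    """Block-by-block hashing: derived block j depends on input block j only."""
    return hashlib.sha256(j.to_bytes(8, "big") + disk.read(j)).digest()


def derive_dtuple(disk, j):
    """Derived block j is the hash of a fixed, public d-tuple of input blocks."""
    h = hashlib.sha256(j.to_bytes(8, "big"))
    for i in neighbours(j, len(disk)):
        h.update(disk.read(i))
    return h.digest()


def make_disk(num_blocks, constant):
    """Constructed sample disk: blocks listed in `constant` are all zeros."""
    blocks = []
    for i in range(num_blocks):
        if i in constant:
            blocks.append(b"\x00" * BLOCK)      # e.g. fixed file-format padding
        else:
            seed = hashlib.sha256(b"constructed sample %d" % i).digest()
            blocks.append(seed * (BLOCK // len(seed)))
    return Disk(blocks)


def predictable_outputs(known, num_blocks, tuple_of):
    """Derived blocks whose every input block is already known to the adversary."""
    return [j for j in range(num_blocks)
            if all(i in known for i in tuple_of(j))]


def adversary_recovers(disk, known, derive):
    """Derived blocks an adversary reproduces from the `known` input blocks alone.

    Unknown blocks are replaced by a fixed wrong guess (all zeros).
    """
    guess = Disk([b if i in known else b"\x00" * BLOCK
                  for i, b in enumerate(disk.blocks)])
    return [j for j in range(len(disk))
            if derive(guess, j) == derive(disk, j)]


if __name__ == "__main__":
    patterns = {"even blocks constant": set(range(0, 16, 2)),
                "first half constant": set(range(8))}
    for name, known in patterns.items():
        disk = make_disk(16, known)
        print(name,
              "| naive:", len(adversary_recovers(disk, known, derive_naive)),
              "| d-tuple:", len(adversary_recovers(disk, known, derive_dtuple)))
```

With a real disperser the guarantee holds for every sufficiently large set of high min-entropy blocks; the toy rule here is only checked against the two constructed patterns.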

1.2 Chain rule for min-entropy 

Since the beginning of formal treatment of cryptography most works have
heavily relied on different flavours of entropy. Depending on the context, those
notions are used to measure compressibility, unpredictability or uncertainty of
outcomes of random processes. In his seminal work Shannon applied the simplest,
compressibility notion of entropy (called after his name), i.e., the one defined by
$H(X) = \sum_x \Pr(X = x) \log \frac{1}{\Pr(X = x)}$, to prove that in a perfectly secure symmetric key
encryption scheme the length of the key is necessarily as large as the length of the message.
The notion which turned out to be even more useful in the area of cryptography is
min-entropy, defined by the formula $H_\infty(X) = -\log(\max_x \Pr(X = x))$ and
encompassing unpredictability properties of a random variable X.

Conditional entropy. Shannon's entropy possesses a natural generalization to its
conditional version $H(X \mid Y)$ which satisfies the formula $H(X, Y) = H(X \mid Y) + H(Y)$.
This corresponds to an intuitive interpretation stating that the information
contained in (X, Y) consists of the information in Y extended by the conditional
information in X given Y. Dodis et al. [9] provided an analogous notion for min-entropy.
Namely, for two random variables X, Y the conditional min-entropy $H_\infty(X \mid Y)$ is
given by the formula:



(1) 


This definition turns out to preserve the natural interpretation of min-entropy as 
maximal probability of success in guessing X given Y , i.e., for any algorithm A we 
have: 


$$\Pr(\mathcal{A}(Y) = X) = \mathbb{E}_y \Pr(\mathcal{A}(y) = X) \le \mathbb{E}_y\, 2^{-H_\infty(X \mid Y = y)} = 2^{-H_\infty(X \mid Y)}.$$


Regrettably, the above definition possesses serious drawbacks explained in the 
following example. 

Example 1 (Cross distribution). Let $X = (X_1, X_2) \in (\{0,1\}^n)^2$ be a random
variable distributed uniformly over "the cross", i.e., the set
$\{0,1\}^n \times \{e\} \cup \{e\} \times \{0,1\}^n$ for some fixed $e \in \{0,1\}^n$. Note that we have
$H_\infty(X_1, X_2) = -\log \frac{1}{2^{n+1} - 1} \in [n, n+1]$
and $H_\infty(X_1) = -\log \frac{2^n}{2^{n+1} - 1} < 1$ and therefore, the sum property does not hold
without any further assumptions or conditions. Moreover, $H_\infty(X_2 \mid X_1) \le H_\infty(X_2)$
and therefore $H_\infty(X_2 \mid X_1) + H_\infty(X_1) < 2$, which consequently means that the most
natural chain rule does not hold either.

The authors also prove the following result. 

Lemma 1 (Lemma 2.2 in [9]). Let X, Y, Z be random variables. Then

a) For any $\delta > 0$, the conditional entropy $H_\infty(X \mid Y = y)$ is at least
$H_\infty(X \mid Y) - \log(1/\delta)$ with probability at least $1 - \delta$ over the choice of y.

b) If Y has at most $2^\lambda$ possible values, then
$H_\infty(X \mid (Y, Z)) \ge H_\infty((X, Y) \mid Z) - \lambda \ge H_\infty(X \mid Z) - \lambda$.
In particular, $H_\infty(X \mid Y) \ge H_\infty(X, Y) - \lambda \ge H_\infty(X) - \lambda$.

The above item b) of Lemma 1 is treated as the chain rule for min-entropy. Its
significant weakness is that the inequality does not depend on the random properties
of Y but only on its actual size λ. We illustrate this by a simple example.

Example 2 (Two blocks almost half entropy). Let X, Y be two random variables
distributed over $\{0,1\}^n$ with joint distribution of min-entropy $H_\infty(X, Y) = n$.
Then, the above item b) gives us a trivial estimate
$H_\infty(X \mid Y) \ge H_\infty(X, Y) - |Y| = 0$.


Nevertheless, if we condition $(X_1, X_2)$ given in Example 1 with a random variable
Hint defined by the formula

$$\mathrm{Hint} = i \iff X_i = e,$$

then the second variable $X_{3-i}$ has conditional min-entropy $H_\infty(X_{3-i} \mid \mathrm{Hint} = i) = n$.
Therefore, there exists a certain additional "knowledge" Hint which allows us to
extract almost the whole min-entropy from the pair $(X_1, X_2)$. Namely, the event

$$H_\infty(X_1 \mid \mathrm{Hint} = i) + H_\infty(X_2 \mid \mathrm{Hint} = i) \ge H_\infty(X_1, X_2) - 1$$

holds with probability 1 over the choice of i. This suggests that the right way to
obtain the chain rule is additional conditioning. A similar approach was used in certain
different applications and is classically called spoiling knowledge.

Remark 1. We believe that our results might find a meaningful application in the
theory of extractors as we exhibit a certain (non-strict) block-wise structure of any
distribution of high min-entropy (cf. proof of the Claim inside Corollary 2).
Block-wise distributions are widely used in the theory of extractors (see, e.g., [22]).


Previous results concerning chain rule. Previous research concerning (or
somehow related to) the chain rule is not limited to [9] discussed above. For example,
the authors of [1] and [23] prove that a random (sufficiently large) subtuple of some set
of variables with high min-entropy must preserve some significant amount of this
entropy. Our result can be viewed as a generalization of this fact since from our
reasoning we get that some specific (not random) subtuple preserves some
min-entropy (see Corollary 2). Moreover, in [23] the authors try to deal with the problem
of the chain rule for min-entropy but need to make a big effort to get some complicated
workaround since they do not have any quasi chain rule for min-entropy in hand.
Moreover, they show a simplified version of their result and give a short proof
based on the chain rule for Shannon entropy.

Another important previous result is Lemma A.1 (min-entropy split) from [5]
(and also other variants from [8,27]). Here the authors formulate a theorem that also
can be viewed as a quasi chain rule. As an example compare with the following:

Lemma 2 (Lemma 4.2 (Min-Entropy-Splitting Lemma) in [8]). Let $\varepsilon \ge 0$
and let $X_0, X_1$ be random variables (over possibly different alphabets) with
$H_\infty^\varepsilon(X_0 X_1) \ge \alpha$. Then, there exists a binary random variable C over {0,1} such that
$H_\infty^\varepsilon(X_{1-C}\, C) \ge \alpha/2$.

This is a very interesting result that shows that it is possible to extract partial
min-entropy from a pair of variables. However, the authors justify high min-entropy of just
one variable from the pair. In our result we get significantly more, dealing with both
variables at once. See Lemma 3 for details.


2 Our contribution 

The results of the paper are twofold. 


Making BRM space efficient. In this paper, we give a new idea to overcome
the problem of large space requirements in the BRM. As a reminder: the BRM
uses huge private keys for the purpose of leakage-resiliency. Here we describe an idea
to derive the secret key from private data (this could include text documents, videos,
etc.). That content is supposed to have high enough min-entropy; however, it raises
a problem with privacy: we do not want to reveal any sensitive data outside. Our
construction fulfills this expectation, so the private data remains undisclosed even
if the entire derived key is compromised.

The secret key is computed on-the-fly from private data so that no extra
memory is used to store the key. Access to the key is fast, as one needs to read only a
limited portion of the private data to compute some part of the secret key.

The main result shows that any cryptographic protocol from a well defined and
vast class (intuitively: game based protocols) is still secure if we use a key derived
from private data in place of a random key.


Chain rule through spoiling knowledge. The reasoning from Section 1.2
exhibits a pair of random variables X, E such that
$H_\infty(X \mid E = e) + H_\infty(Y \mid E = e) \gg H_\infty(X) + H_\infty(Y)$
with probability 1 over the choice of e. Analogous simplified
situations were investigated by Bennett et al. [3] for collision entropy $H_2$ and utilized
in privacy amplification. Furthermore, similar examples also exist for other Rényi
entropies $H_\alpha$ for $\alpha > 1$ and were systematically analysed by Cachin in [6] in the
context of smooth entropy. Our methods substantially generalize the "profiling" method of
Cachin and Maurer and give a precise spoiling knowledge sufficient to obtain a chain
rule for min-entropy. Our main result in this part of the paper is the following (see
Lemma 3):

Chain rule. Let X, Y be random variables. Then, there exists a function
$\mathrm{Hint}(y) \in \{1, \ldots, K\}$ for some K > 0 such that for any $\varepsilon > 0$ and $N = H_\infty(X, Y)$ the
event:

$$\forall_{y \in \mathrm{Hint}^{-1}(h)} \quad H_\infty(X \mid Y = y, \mathrm{Hint}(Y) = h) + H_\infty(Y \mid \mathrm{Hint}(Y) = h) \ge \left(1 - \varepsilon - \tfrac{1}{K}\right) \cdot N$$

occurs with probability $> 1 - K \cdot 2^{-\varepsilon N}$ over the choice of h.

As a corollary, we significantly generalize this result in order to obtain the chain
rule for many variables (see Corollary 2). To the best of our knowledge, prior to this
work there was no efficient chain rule for min-entropy except Lemma 1 (see Dodis
et al. [9] or Cachin and Maurer [6] for similar results for Rényi entropy).

It is important to mention that in any cryptographic application supplementary 
side information appears to be beneficial for the adversary and therefore using 
Lemma 3 should facilitate any security proof requiring detailed treatment of min- 
entropy (cf. Remark after proof of Lemma 5). 

Usefulness of Chain rule. Our result seems to help to prove some facts that
often look trivial at very first sight. The typical problem with proving such "obvious
observations" comes from the fact that, in general, the chain rule for min-entropy
is false. For example, one may go through the proof of Lemma 5.2 from [5] to see
how technical and delicate it is. We believe that using the chain rule from this paper
could significantly simplify reasonings like that. The reason for that is that our
statement seems to work better than, e.g., Lemma A.1 (min-entropy split) from [5]
that is key for proving Lemma 5.2. The technical cause for that arises from the fact
that Brakerski et al. split somehow the min-entropy of a pair but do not have full
control of the min-entropy of one of the elements. That makes the proof much harder
in one case. Our techniques tend to follow the ideas from [5] and make them
cleaner to use.

Another good example of the usefulness of our chain rule is Lemma 4 from this
paper. Here we need the multivariate case of our result (Corollary 2) which was not
considered in previous works at all.

3 Preliminaries 

We assume the existence of a random oracle, i.e., a perfectly random function
$\mathcal{H}: \{0,1\}^* \to \{0,1\}^n$ which can be evaluated only by querying a certain oracle. At the
beginning, all values of $\mathcal{H}$ are uniformly distributed, in particular, unpredictable.
Throughout the protocol's operation, one can issue a query m, obtaining the
value of $\mathcal{H}(m)$ and gaining no other information.

In order to model leakage attacks, we introduce a restricted leakage oracle $O^D$
parametrized by a random variable $D \in \{0,1\}^{|D|}$. A query $O^D(f)$ consists of a
function $f: \{0,1\}^{|D|} \to \{0,1\}^{\lambda}$ given as a Turing machine, and results in the value
$f(D)$. A leakage oracle $O^{D,\mathcal{H}}$ (also denoted by $O(D, \mathcal{H})$) is defined analogously but
with leakage functions containing, apart from ordinary operations, a black-box access
to a random oracle, which on an input x returns the value $\mathcal{H}(x)$. We say that the
total leakage is of at most λ bits if the sum $\sum_i \lambda_i$ for all issued
$f_i: \{0,1\}^{|D|} \to \{0,1\}^{\lambda_i}$ is bounded by λ.

We denote by the class of all probabilistic Turing machines equipped
with an adaptive access to a restricted leakage oracle O with total leakage of at most
λ bits. Moreover, by we mean the subclass of TM^ M * equipped with
an adaptive access to a leakage oracle $O^{D,\mathcal{H}}$ together with additional q executions
of $\mathcal{H}$.

We say that a function f is $\mathcal{H}$-randomized (or simply randomized if no confusion
can arise) if its result depends on a certain random oracle $\mathcal{H}$. We denote an
$\mathcal{H}$-randomized function by $f(-, \mathcal{H})$.


4 Chain rule for min-entropy 

4.1 Bivariate case 


We first prove the following case for two random variables. 


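Lemma 3. Let X and Y be two (possibly dependent) random variables. Then, there
exists a function $\mathrm{Hint}(y) \in \{1, \ldots, K\}$ for some K > 0 such that for any $\varepsilon > 0$ and
$N = H_\infty(X, Y)$ the event:

$$\forall_{y \in \mathrm{Hint}^{-1}(h)} \quad H_\infty(X \mid Y = y, \mathrm{Hint}(Y) = h) + H_\infty(Y \mid \mathrm{Hint}(Y) = h) \ge \left(1 - \varepsilon - \tfrac{1}{K}\right) \cdot N$$

occurs with probability $> 1 - K \cdot 2^{-\varepsilon N}$ over the choice of h.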


Proof. We begin with two straightforward facts concerning min-entropy. Firstly,
observe that for any random variable Z and an event E the conditional min-entropy

$$H_\infty(Z \mid E) = \min_z \{-\log \Pr(Z = z \mid E)\}$$

satisfies the inequality $H_\infty(Z \mid E) \ge H_\infty(Z) - \log \frac{1}{\Pr(E)}$.

Secondly, using the formula for conditional probability we see that

$$\Pr(X = x \mid Y = y) = \frac{\Pr(X = x, Y = y)}{\Pr(Y = y)} \le \frac{2^{-H_\infty(X, Y)}}{\Pr(Y = y)},$$

which means that

$$\Pr(Y = y) \le \frac{2^{-H_\infty(X, Y)}}{\max_x \Pr(X = x \mid Y = y)} = 2^{-H_\infty(X, Y) + H_\infty(X \mid Y = y)}.$$

This consequently implies that $H_\infty(Y) \ge H_\infty(X, Y) - \max_y H_\infty(X \mid Y = y)$.

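We now proceed to the proof of Lemma 3. We define a function Hint by the
condition:

$$\mathrm{Hint}(y) = i \iff H_\infty(X \mid Y = y) \in \left[\tfrac{i-1}{K} N, \tfrac{i}{K} N\right],$$

where N denotes the min-entropy $H_\infty(X, Y)$ (we disregard the boundary cases).

By the definition of Hint we see that

$$\forall_{y \in \mathrm{Hint}^{-1}(i)} \quad H_\infty(X \mid \mathrm{Hint} = i, Y = y) \ge \tfrac{i-1}{K} N. \qquad (2)$$

Moreover, using both of the above general observations, we get that

$$H_\infty(Y \mid \mathrm{Hint} = i) \ge H_\infty(X, Y \mid \mathrm{Hint} = i) - \tfrac{i}{K} N \ge N - \tfrac{i}{K} N - \log \tfrac{1}{\Pr(\mathrm{Hint} = i)}.$$

By summing (2) and (4.1) up we obtain:

$$\forall_{y \in \mathrm{Hint}^{-1}(i)} \quad H_\infty(X \mid \mathrm{Hint} = i, Y = y) + H_\infty(Y \mid \mathrm{Hint} = i) \ge N - \tfrac{N}{K} - \log \tfrac{1}{\Pr(\mathrm{Hint} = i)}.$$

Now observe that for all values i of Hint that satisfy $\Pr(\mathrm{Hint} = i) > 2^{-\varepsilon N}$ we have:

$$\forall_{y \in \mathrm{Hint}^{-1}(i)} \quad H_\infty(X \mid \mathrm{Hint} = i, Y = y) + H_\infty(Y \mid \mathrm{Hint} = i) \ge N - \tfrac{N}{K} - \varepsilon N = \left(1 - \tfrac{1}{K} - \varepsilon\right) \cdot N.$$

There are at most K other values of Hint, which consequently occur with probability
smaller than $K \cdot 2^{-\varepsilon N}$. This finishes the proof. □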
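As an added illustration (not code from the paper), the following Python computes the quantities of Example 1 exactly for a small n and then applies the Hint construction from the proof of Lemma 3, placing each y in the i-th of K equal sub-intervals of [0, N] according to $H_\infty(X \mid Y = y)$. The choices n = 4, e = 0, K = 4, Y = X_1, and the average conditional min-entropy of Dodis et al. [9] written as $-\log \sum_y \max_x \Pr(X = x, Y = y)$ are assumptions of the example.

```python
import math
from collections import defaultdict


def min_entropy(pmf):
    """H_inf of a distribution given as {outcome: probability}."""
    return -math.log2(max(pmf.values()))


def cross_distribution(n, e=0):
    """Example 1: (X1, X2) uniform on {0,1}^n x {e} union {e} x {0,1}^n."""
    support = {(x, e) for x in range(2 ** n)} | {(e, x) for x in range(2 ** n)}
    return {pt: 1.0 / len(support) for pt in support}


def marginal(joint, idx):
    """Distribution of coordinate `idx` of a two-coordinate joint pmf."""
    out = defaultdict(float)
    for pt, p in joint.items():
        out[pt[idx]] += p
    return dict(out)


def conditional(joint, y_idx, y):
    """Distribution of the other coordinate given coordinate y_idx equals y."""
    rows = {pt[1 - y_idx]: p for pt, p in joint.items() if pt[y_idx] == y}
    total = sum(rows.values())
    return {x: p / total for x, p in rows.items()}


def avg_cond_min_entropy(joint, y_idx):
    """Average conditional min-entropy: -log2( sum_y max_x Pr[X=x, Y=y] )."""
    best = defaultdict(float)
    for pt, p in joint.items():
        best[pt[y_idx]] = max(best[pt[y_idx]], p)
    return -math.log2(sum(best.values()))


def quasi_chain_rule(joint, K, y_idx=0):
    """Hint construction of Lemma 3 with Y = coordinate y_idx.

    Returns N = H_inf(X, Y) and, for every hint value i that occurs, the pair
    (Pr[Hint = i], min over consistent y of
     H_inf(X | Y = y, Hint = i) + H_inf(Y | Hint = i)).
    """
    N = min_entropy(joint)
    py = marginal(joint, y_idx)
    buckets = defaultdict(list)
    for y in py:
        h = max(0.0, min_entropy(conditional(joint, y_idx, y)))
        i = min(K, max(1, math.ceil(h * K / N)))   # i-th interval of width N/K
        buckets[i].append((y, h))
    report = {}
    for i, members in buckets.items():
        p_hint = sum(py[y] for y, _ in members)
        h_y = max(0.0, -math.log2(max(py[y] for y, _ in members) / p_hint))
        worst_x = min(h for _, h in members)
        report[i] = (p_hint, worst_x + h_y)
    return N, report


if __name__ == "__main__":
    n, K, eps = 4, 4, 0.25
    joint = cross_distribution(n)
    N, report = quasi_chain_rule(joint, K)
    print("H_inf(X1,X2)      =", round(N, 4))
    print("H_inf(X1)         =", round(min_entropy(marginal(joint, 0)), 4))
    print("Lemma 1 b) bound  =", round(N - n, 4))
    print("avg H_inf(X2|X1)  =", round(avg_cond_min_entropy(joint, 0), 4))
    print("Lemma 3 bound     =", round((1 - eps - 1 / K) * N, 4))
    for i, (p, total) in sorted(report.items()):
        print("Hint =", i, "Pr =", round(p, 4), "sum =", round(total, 4))
```

On the cross distribution the size-based bound of Lemma 1 b) is met with equality (about 0.95 bits), while both hint values leave a sum of roughly n bits.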

Remark 2. For the sake of brevity, from now on we omit the ∀ quantifier and write
$H_\infty(X \mid Y = y, \mathrm{Hint} = h)$ to denote the fact that y is consistent with the value h of
a random variable Hint = Hint(y). Then, with the same assumptions as above, we
have¹:

$$H_\infty(X \mid Y; \mathrm{Hint} = h) + H_\infty(Y \mid \mathrm{Hint} = h) \ge \left(1 - \varepsilon - \tfrac{1}{K}\right) \cdot H_\infty(X, Y) \qquad (3)$$

$$H_\infty(X \mid \mathrm{Hint} = h, E) + H_\infty(Y \mid \mathrm{Hint} = h) \ge \left(1 - \varepsilon - \tfrac{1}{K}\right) \cdot H_\infty(X, Y) \qquad (4)$$

for any event E depending only on Y with probability $> 1 - K \cdot 2^{-\varepsilon N}$ over the
choice of h. This follows from averaging over the choice of y. Note that the subtlety
of the definition of conditional min-entropy given in [9] is not relevant as the formula
(4.1) works for any y such that Hint(y) = h.

As corollaries we obtain: 

Corollary 1. Let X,Y be random variables satisfying H co (X, V) = mn. For every 
deN such that there exists a random variable Hint such that: 

H 00 (A|y = t/,Hint = h) + H 00 (y|Hint = h) > (m — 2 A)n 

occurs with probability > 1 — 2 _ ( zira_lo s m ) over the choice of h. 

Proof. Apply Lemma 3 for e = ^ and K = \^~\. 


4.2 Multivariate case 

Moreover, by more involved inductive considerations we obtain: 

¹ By $H_\infty(X \mid Y; \mathrm{Hint} = h)$ we mean the conditional min-entropy $H_\infty(X \mid Y)$ computed
with respect to the distribution conditioned on the event Hint = h.
Corollary 2. Let $X_1, \ldots, X_\ell$ be random variables satisfying $H_\infty(X_1, \ldots, X_\ell) = s\ell$
for some s > 0. Then, for any D > 0 there exists a random variable Hint such that


E Hoo (Ai| Hint = h, Ef) > s£{ 1 - 


(5) 


1 <!<< 


with probability 1 — 2 D£{£ — 1) • 2 2 r> over t/ie choice of h, where Ei are events 
depending on Hint and variables with smaller indices, i.e., Ai, ... ,Xi. 


Proof. We prove the following claim by descending induction with respect to k. 


Claim. For any k £ [1,^] there exists a random variable Hintfc such that: 



k+l<i<( 


with probability l-2D£(£—k)-2~ even if we additionally condition Hoc (Afc +m ; Hintfc = 

i) for to > 0 with any event Ek +m depending solely on Hintfc and variables with 
smaller indices, i.e., X\,... ,Xk+ m -i- 


Proof (Proof of the claim). The base case k = £ is just the assumption H oc (Ai,..., Xe) = 
si for an empty variable Hint^ (note that there is no additional assumption on fur¬ 
ther conditioning). Now, assume that the claim is true for some k > 1 and that 


Hoo(A'i,..., Afc|Hintfc = i) = CiS , 


for some 0 < Cj < £. By Lemma 3 applied for e = A = 2 D\cf\, X = Afc, 

and Y = (Ai,..., Afc_i) conditioned on Hintfc = i we obtain a random variable H^ 
such that 
for any event E depending on Y with probability 1 — 2D [c,] • 2 20 > 1 — 2 Dl • 2 20 
over the choice of h!. We now set Hintfc_i = (Hintfc,H^ intfc ) and compute that 

H 00 (Xi,...,X fc _i|Hint fc _i = {Kg)) + Hoo^lHint*-! = (h, g))) > 

k<i<l 

Hoo (Y ; Hintfc_i = {Kg)) + H 0 O (X' fc |Hintfc_i = {Kg)) + ^ ^(XjlHint*-! = {Kg)) > 

k+l<i<£ 

( 8 ) 

H 00 (X 1 ,...,X fe |Hint fc = h) - H^XjlHintfc.i = {h, g)) > 

k+l<i<£ 

(9) 

H 00 (A'i,...,X fc |Hint fc = h) - ^ ^(XjlHintfc = h) > 

k+l<i<£ 

( 10 ) 


> a{£ 


t — k+l 
D 


) 


with probability 

> ( 1-2 Dl{t-k) •2"5%)(l-2 J D£-2-5%) > 1 - 2 ^-fc + l) • 2 " 

where in ( 8 ) we used the definition of Y, in (9) we applied the formula (7) and 
in (10) we removed additional conditioning on event H{' Iilltfc = g which depends 
only on variables with smaller indices (induction step) and is therefore harmless (cf. 
hypothesis of the claim). The inductive claim concerning additional conditioning 
follows along the same lines (just by adding further events in min-entropies), but is 
a bit cumbersome to state succinctly. 

Our corollary follows from the claim for k = 1 and the inequality < 1, i.e., the 
expected Hint equals Hinti. 

Remark 3. The proof above shows that the size of Hint is in fact polynomial in l 
and D. 


We now state an elementary proposition which allows us to obtain a certain
bound on the number of high min-entropy blocks given $H_\infty(X_1, \ldots, X_\ell) \ge \beta \ell n$ for
$\beta < 1$.


Proposition 1. Let $x_1, \ldots, x_\ell$ be a sequence of numbers satisfying $0 \le x_i \le n$ and
$x_1 + \cdots + x_\ell = \beta \ell n$ for some $0 < \beta < 1$. Then, for any $0 < \gamma < \beta$ there are more
than $\left\lfloor \frac{\beta - \gamma}{1 - \gamma} \ell \right\rfloor$ numbers $x_i$ such that $x_i \ge \gamma n$.

A proof of this fact appears in Appendix C. As a corollary we obtain: 


Corollary 3 (High min-entropy blocks). Let X\,...,X 1 be random variables 
distributed over {0,l} ra and satisfying H oc (Ai,..., Xf) > pin. Then, for any D 
and 7 < P{\ — j=j) there exists a random variable Hint such that with probability 


1 — 2 Dl{l — 1) • 2 2 d the number of blocks Xi satisfying H oc (Ai|Hint = h) > 771 is 


greater than [_ 


1-7 


l\. In particular, for D = 2 and 7 = j we obtain that there 
exists a random variable Hint such that with probability 1 — 4 t(l — 1) • 2 ^ there 
exists > LxJ blocks of min-entropy H cx) (Xj|Hint = h) > 

Proof. For the general case, we consequently use Corollary 2 and Proposition 1. We 
obtain the special case by direct specialization. 

5 Key derivation procedure based on sensitive data 

In this chapter, we formally define a class of protocols whose security can be 
expressed in terms of a game with a certain probability of success. We then 
define two properties, security and privacy, of a randomised transformation function 
kdp(·, H) which make it suitable for derivation of keys from sensitive disk data. 

5.1 Security games 

Definition 1 (Security game). Let K be a random variable. A security game 
against an adversary A based on randomness K is a tuple 
Game = (C, KeyGen, Setup_Ch, Setup_Adv, Execute) consisting of an interactive 
algorithm C together with a randomized key generation procedure KeyGen, a pair 
of setup procedures Setup_Ch, Setup_Adv and an execution procedure Execute 
which given an interactive algorithm A operates as described in Fig. 1 below. 


Execution procedure Execute of Game = (C, KeyGen, Setup_Ch, Setup_Adv). 

1. The key is initialized by key ← KeyGen(K) and then the input tapes of A and 
C are set to Setup_Adv(key) and Setup_Ch(key) respectively. 

Execution phase: 

2. The following loop is conducted: 


Algorithm 1: Main loop 

1  msg_A = ⊥    /* first message is empty */ 
2  while state_C ∉ {Accept, Reject} do 
3      A : (state_A, msg_A) ⇝ (state'_A, msg_C) 
4      C : (state_C, msg_C) ⇝ (state'_C, msg_A) 
5  end 


3. When C transits to either Accept or Reject the execution terminates. 
Output: The final state state_C ∈ {Accept, Reject} of the challenger C. 


Fig. 1. Execution procedure 


In lines 3 and 4 of the Main Loop we used the notation B : (state, msg) ⇝ 
(state', msg') which indicates that the interactive machine B resumes in state 
state given an input message msg and transits to state state' with an output 
message msg'. Given all the parameters, we denote the execution of the game by 
Game[A ⇄ C, key ← KeyGen(K)]. 

Intuitively, the operation of Game[A ⇄ C, key ← KeyGen(K)] boils down to an 
adaptive, sequential (numbered by round) exchange of messages between interactive 
machines A and C initialized by the values Setup_Adv(key) and Setup_Ch(key) 
respectively, which ends up in the last state of the algorithm C. 

Remark 4 (Complexity). We can require that C or A belong to a certain complexity 
class TM which might be characterized by number of Turing machine steps allowed 
to be taken, access to some oracle O (e.g., hash, leakage) or a memory bound. For 
example, to describe an adversary which works in time polynomial in the size of 
the key key and can access leakage oracle 0{ key) with a leakage bound A, we write 
that A £ TM^ key ^(poly(|key|). While computing any kind of complexity (e.g. 
time, storage, leakage), as a final result we consider the total amount of resources 
used during all transitions conducted (cf., e.g., line 3 and 4 above) in an interactive 
algorithm. In particular, an adversary A belongs to TM^ tay ' if the total amount 
of leakage obtained during all transitions of A does not exceed A bits. 

Remark 5 (Relation to classical Interactive Turing Machines). In fact the definition 
given above is a RAM-based analogue of interactive Turing machines. We departed 
from the formal approach based on the common input tapes assumption in order to 
emphasize the sequential nature of the computation, which we shall exploit in the 
upcoming considerations. 

The above security game is tailored to cover a broad range of security definitions 
of various cryptographic protocols. We now describe a class of cryptographic 
protocols whose security is captured by a game-based definition. 

Definition 2 (Game security). We say that Game = (C, KeyGen, Setup_Ch, Setup_Adv, Execute) 
based on randomness K is (ε, TM)-secure iff for every A ∈ TM the probability that 
execution ends in Accept satisfies 

Pr(Game[A ⇄ C, key ← KeyGen(K)] = Accept) ≤ ε, 

where the probability is taken over K and all random choices of C and A. 

Example 3. The vast majority of cryptographic protocols are covered by the above 
game-based definition. A good example is the identification scheme in the BRM from [1]. 

Another protocol that fits the definition is the standard Merkle-tree authentication 
protocol described in the introduction. 

Note that the notation ε for the security parameter might be confusing as we 
do not distinguish the case of unpredictability and indistinguishability applications 
(see [10] for precise definitions), i.e., the security definition above covers the case of 
ε ≈ 0 and ε ≈ 
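A toy instantiation of Definitions 1 and 2, added here as an illustration and not taken from the paper: the challenger asks for t random key positions (a BRM-flavoured identification round), the adversary is limited to a total leakage budget as in Remark 4, and the Accept rate over many executions estimates ε. The key length, t, the byte-granular leakage oracle and all names are assumptions of this sketch.

```python
import random

ACCEPT, REJECT, RUNNING = "Accept", "Reject", "Running"


def key_gen(rng, m):
    """KeyGen(K): here simply m uniformly random bytes (toy parameters)."""
    return bytes(rng.getrandbits(8) for _ in range(m))


class LeakageOracle:
    """O(key) with a total budget of lam_bits over all queries (Remark 4)."""

    def __init__(self, key, lam_bits):
        self.key, self.remaining = key, lam_bits

    def leak_positions(self, positions):
        cost = 8 * len(positions)            # one key byte per position
        if cost > self.remaining:
            raise PermissionError("leakage bound exceeded")
        self.remaining -= cost
        return {p: self.key[p] for p in positions}


class Challenger:
    """C: asks for t random key positions per round, for `rounds` rounds."""

    def __init__(self, key, rng, t, rounds):
        self.key, self.rng, self.t, self.rounds = key, rng, t, rounds
        self.state, self.pending = RUNNING, None

    def step(self, msg_c):
        if self.pending is not None:         # verify the answer to our challenge
            if msg_c != bytes(self.key[p] for p in self.pending):
                self.state = REJECT
                return None
            self.rounds -= 1
            if self.rounds == 0:
                self.state = ACCEPT
                return None
        self.pending = self.rng.sample(range(len(self.key)), self.t)
        return self.pending


class LeakyAdversary:
    """A: spends its whole leakage budget up front, then guesses the rest."""

    def __init__(self, oracle, m, rng):
        n_known = min(m, oracle.remaining // 8)
        self.known = oracle.leak_positions(range(n_known))
        self.rng = rng

    def step(self, msg_a):
        if msg_a is None:                    # first message is empty
            return None
        return bytes(self.known[p] if p in self.known
                     else self.rng.getrandbits(8) for p in msg_a)


def execute(adversary, challenger):
    """Main loop of Fig. 1: A and C alternate until C accepts or rejects."""
    msg_a = None
    while challenger.state not in (ACCEPT, REJECT):
        msg_c = adversary.step(msg_a)
        msg_a = challenger.step(msg_c)
    return challenger.state


def accept_rate(lam_bits, runs, m=64, t=2, rounds=1, seed=1):
    """Empirical Pr(Game[A <-> C, key <- KeyGen(K)] = Accept) for this adversary."""
    rng = random.Random(seed)                # seeded toy randomness, not a CSPRNG
    wins = 0
    for _ in range(runs):
        key = key_gen(rng, m)
        adversary = LeakyAdversary(LeakageOracle(key, lam_bits), m, rng)
        wins += execute(adversary, Challenger(key, rng, t, rounds)) == ACCEPT
    return wins / runs


if __name__ == "__main__":
    for lam in (0, 8 * 16, 8 * 32, 8 * 64):
        print(f"leakage {lam:3d} bits -> Accept rate {accept_rate(lam, 2000):.3f}")
```

The estimate is a lower bound on ε for this one adversary strategy only; Definition 2 quantifies over every adversary in the class.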

5.2 Security and privacy of key derivation functions 

After describing what security games are, we are ready to formulate precise 
definitions for intuitive requirements of privacy and security that we impose on our 
key-derivation procedure. From now on, D is a random variable representing disk 
data, A denotes the number of bits adversary can leak, N is the maximal value of 
min-entropy of disk data and p is the ratio of actual min-entropy H∞(D) and N. 

Definition 3 (privacy of a key-derivation procedure). We say that a randomized 
function kdp(·, H) : {0,1}^N → {0,1}^M is (p, A, A\, q,s)-private if there 
exists a simulator S £ such that for every random variable D £ {0,1}^ 

of min-entropy H 0 0 (D) > pN and every adversary A £ operating on 

key = kdp(D,'H), the output distributions satisfy: 

(Output(Al(key)), D) « E ( Output (S(„4)), D). 

The privacy definition tracks down the amount of additional leakage A\ that 
is necessary to constructor S capable of simulating the behaviour of any adversary 
A x ’ operating on the key generated by the dispersing procedure. Observe that 

any algorithm Al(key) £ TM A ? (cf. Section 3 for the formal specification of 
this complexity class) is provided with access to an oracle 7i, i.e., can test values 
of a random function, and moreover issues a sequence of leakage queries 0 D ' n (fi), 
which may also depend on the random oracle 71, i.e., can learn some information 
concerning D depending on the same random function 7~L. 

Definition 4 (Security of a key-derivation procedure). We say that a ran¬ 
domized function kdp(— ,71) : {0,1}^ — > {0,1} M is (p, A, A\, q,s)-secure if for any 
(s', TM^ key ^ )-secure game Game = (C, id, Setup ch , Setup Adv , Execute) 2 for random¬ 
ness K £- Un, the game GameDisk = (C, kdp(D, 7i), Setup Ch , Setup Adv , Execute) 
based on randomness (D,7-L) is (s' + e, TM A i d ^|’ W ) -secure. 

The general aim of the security definition is to capture the intuitive expectation 
that an adversary playing against a key derived from sensitive data should not 
gain any advantage compared to the case of using a redundant, truly random key. 
Note that it suffices to give A access to key = kdp(D, H) as the transcript of 
any scheme’s execution can be generated based on key. 


6 Disperse as a key derivation procedure 

6.1 Disperse graph 

Throughout the whole construction we shall make use of bipartite right M-regular 
graphs identified with functions σ : [N_1] × [M] → [N_0] by the following recipe. By 
G_σ we denote a bipartite graph G with the sets of vertices equal to two disjoint sets 
[N_0], [N_1] and with edges going from n ∈ [N_1] to σ^n_m ∈ [N_0] for any m ∈ [M]. The 
following definition is crucial: 

Definition 5. A bipartite graph G = (V^0 ∪ V^1, E) is a right (K, L)-disperser if for 
every set S ⊆ V^1 such that |S| = K the neighbourhood N(S) satisfies 

|N(S)| ≥ L, 

i.e. the sets of size K expand into sets of size at least L. 

2 for detailed description of Game see Definition 1 
We often make use of explicit ℓ^d-regular (ℓ^e, (1 − η)ℓ)-dispersers. We implicitly 
assume that the numbers d, e satisfy d < 1, e < 1 and d + e > 1. For more details 
on dispersers and further definitions see Appendix B. 

In Fig. 2, we describe the function Disperse explicitly. For the sake of simplicity, 
we identify vertices of the graph with the labels they contain. An exemplary Disperse 
function is shown in Fig. 3. 


Implementation of Disperse^{G_σ}(D, H). 

Input: a bitstring D = D_1 ... D_ℓ for D_1, ..., D_ℓ ∈ {0,1}^n; G_σ a d-regular bipartite 
graph (D ∪ D', E), where D = (D_1, ..., D_ℓ) and D' = (D'_1, ..., D'_ℓ), such that 
N(D'_i) = {D_{σ^i_1}, ..., D_{σ^i_d}}; function H : {0,1}^{dn + log ℓ} → {0,1}^n 
Output: a bitstring D'. 

Execution: 

1. Assign values to the "upper" vertices of G_σ: 

D'_i = H(i, D_{σ^i_1}, ..., D_{σ^i_d}) for i = 1, ..., ℓ 

2. Return D' = D'_1, ..., D'_ℓ. 


Fig. 2. Operation of dispersion function. 




Fig. 3. An exemplary Disperse^{G_σ}(D, H) 
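An added sketch of Fig. 2 (not the authors' code), with SHA-256 truncated to n bytes standing in for the random oracle H and a small constructed circulant graph as G_σ. It derives a key block on the fly from only d disk blocks, checks Definition 5 by brute force, and contrasts a degenerate graph whose whole key depends on three disk blocks; all names and parameters are assumptions, and indices are 0-based here.

```python
from __future__ import annotations

import hashlib
from itertools import combinations

N_BYTES = 16  # block length n in bytes (constructed toy parameter)


def oracle_h(i: int, blocks: list[bytes]) -> bytes:
    """Stand-in for the random oracle H (assumption): truncated SHA-256."""
    h = hashlib.sha256(i.to_bytes(4, "big"))
    for block in blocks:
        h.update(block)
    return h.digest()[:N_BYTES]


class CountingDisk:
    """Constructed 'disk' of l blocks that counts how many blocks are read."""

    def __init__(self, blocks):
        self.blocks = list(blocks)
        self.reads = 0

    def read(self, j: int) -> bytes:
        self.reads += 1
        return self.blocks[j]


def derive_block(disk: CountingDisk, sigma: list[list[int]], i: int) -> bytes:
    """D'_i = H(i, D_{sigma^i_1}, ..., D_{sigma^i_d}); reads only d disk blocks."""
    return oracle_h(i, [disk.read(j) for j in sigma[i]])


def disperse(disk: CountingDisk, sigma: list[list[int]]) -> bytes:
    """Fig. 2: the derived key D' = D'_1 ... D'_l."""
    return b"".join(derive_block(disk, sigma, i) for i in range(len(sigma)))


def neighbourhood(sigma: list[list[int]], upper) -> set[int]:
    """N(S): the disk blocks that the key blocks in S depend on."""
    return {j for i in upper for j in sigma[i]}


def is_right_disperser(sigma: list[list[int]], k: int, l_min: int) -> bool:
    """Definition 5, checked exhaustively: |N(S)| >= L for every |S| = K."""
    return all(len(neighbourhood(sigma, s)) >= l_min
               for s in combinations(range(len(sigma)), k))


def circulant(l: int, offsets) -> list[list[int]]:
    """Constructed graph: key block i depends on disk blocks i + offset mod l."""
    return [[(i + o) % l for o in offsets] for i in range(l)]


def sample_disk(l: int = 8) -> CountingDisk:
    """Constructed sample data standing in for private files."""
    return CountingDisk(hashlib.sha256(b"file-%d" % j).digest()[:N_BYTES]
                        for j in range(l))


GOOD = circulant(8, (0, 1, 3))               # any 2 key blocks cover >= 5 disk blocks
DEGENERATE = [[0, 1, 2] for _ in range(8)]   # every key block uses the same 3 blocks

if __name__ == "__main__":
    disk = sample_disk()
    print("D'_0 =", derive_block(disk, GOOD, 0).hex(), "after", disk.reads, "reads")
    for name, graph in (("circulant", GOOD), ("degenerate", DEGENERATE)):
        print(name, "is a right (2,5)-disperser:", is_right_disperser(graph, 2, 5),
              "| disk blocks fixing the whole key:",
              len(neighbourhood(graph, range(len(graph)))))
```

With the degenerate graph, leaking three disk blocks determines every key block, which is the situation the disperser requirement rules out.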

We now state our main result that for an appropriately chosen graph G_σ the 
function Disperse^{G_σ} is in fact private and secure for reasonable parameters. 

Theorem 1. Let Q a be a £ d -regular (£ e , (1 — rf)£)-right disperser and TL a random 
oracle. Then for any j3 satisfying p — > /3 > 477 the function Disperse^ (—, TL) : 

{ 0,1 Y n { 0,1 Y n is: 

— (p, A, A\ = t e (\ogq + logf), q = 2°( {1 e ) n , 0(£ 2 ■ 2~^~))-private 

— (p, A, A\ = £ e (\ogq + n), q = 2°^ e = 0(£ 2 ■ 2~J~))-secure. 

Since the proof of this theorem is long, it is divided into three parts: first 
it is shown that even in the presence of leakage, the function Disperse 
effectively hides the data underneath; then, based on this result, the privacy property 
is proven; finally security is shown. At the end, we also briefly comment on the 
efficiency of Disperse^{G_σ}. 

Before proceeding to the actual proofs we briefly elaborate on the bounds on 
the parameters. 

Remark 6 (Efficiency of Disperse^{G_σ}). It is important to note that in order to obtain 
a single bit of a derived key one needs to process ℓ^d blocks of disk data. This therefore 
constitutes a leakage-time trade-off for the operation of our function. Namely, 
reducing d allows a single bit of key to be computed more efficiently, at the cost of an 
increased parameter A\ proportional to ℓ^e (recall that d + e > 1). 

Remark 1 (Bounds on parameters). The bounds p — > (3, resp. (3 > Ag express 

natural requirements that leakage ratio should not exceed the actual ratio p, resp. 
the quality of disperser 77 should be superior to the entropy reserve represented by 
p — j~. The bound on q = 2°^ corresponds to a robust, exponential bound on 
the random oracle query-based complexity of an adversary. 

6.2 One-wayness of Disperse 

The Disperse procedure possesses a certain one-wayness property expressed in the 
following lemma. We precede it with a necessary definition. 

Definition 6 (Bad query). Given a random variable D, a bipartite right d-regular 
graph G_σ and a random oracle H we say that a random oracle query H(b), submitted 
by some Turing Machine A, is bad if the argument b equals (i, D_{σ^i_1} D_{σ^i_2} ... D_{σ^i_d}) for 
some i ∈ {1, ..., ℓ}, i.e., the argument of the random oracle query equals one of the 
values defined by graph G_σ and the random variable D. 

By Bad_A we denote the set of all bad queries. By indices_A we denote a list of all 
pairs (k, i_k) of indices k ∈ {1, ..., q} and i_k ∈ {1, ..., ℓ} such that k is the smallest 
index of a bad random oracle query of A which is equal to (i_k, D_{σ^{i_k}_1} ... D_{σ^{i_k}_d}). Since 
the total number of queries is q and G_σ has 2ℓ vertices, we can describe the list 
indices_A using |indices_A| · (log ℓ + log q) bits. 

Lemma 4 (One-wayness of Disperse). Let Q a be a £ d -regular (£ e , (1 — rj)£)-right 
disperser and D = (Di,..., D() £ {0, l}' lC be a random variable of min-entropy 
pin. Then, the probability that an algorithm ^(Disperse^^ (D, R)) £ 
makes at least £ e different bad queries satisfies: 

Pr(|indices^| > £ e ) = 0(£ 2 ■ 2 ~^~) 

for any f3 satisfying p — > (3 > Ag and q = 2°^ °"> n . 

Proof. Due to technical nature the proof is deferred to Appendix A.2. 

6.3 Privacy of Disperse 

In this section we show that Disperse is in fact a private key-derivation procedure. 
The bottom line of the proof is an application of one-wayness together with a 
careful design of leakage query. It is important to note that we significantly use our 
computational model, where we can submit potentially non-polynomial queries. 

Theorem 2 (Privacy). Let Q a be a £ d -regular (£ e ,(l — rj)£)-right disperser and 
D = (£> 1 ,..., Df) £ {0,1}”^ be a random variable of min-entropy pin. Then, 
there exists a simulator S G TM^,p og?+loe » such that for every adversary A G 
(D(D 'hi) hh 

TM a q ’ operating on the key key = Disperse^ (D,n), the output distributions 
satisfy: 

(Output(„4(key)), Z)) ~ e (Output(S(_4)), D) 

for e = 0(£ 2 ■ 2~h-), q = 2°^ ‘and any /3 satisfying p — > (3 > 4?y. 

In order to give a proof, we shall construct a machine S such that for any ad¬ 
versary ^4(Disperse^ (£>,%)) G the result of 5(^4) is indistinguishable 

from >4(A') conditioned on D. We precede the construction by an essential trans¬ 
formation of random oracles and leakage functions, which plays a role of random 
oracle re-programming. 

Definition 7 (Twisted random oracle). Let H be a random oracle and L = 
((arg_1, v_1), ..., (arg_k, v_k)) be a list of pairs of an argument arg_i together with a 
potential value v_i. We define a twisted random oracle H{L} to be an oracle whose 
operation is described as follows: 


H{L}(q) = v_i     if q = arg_i for some i, 
          H(q)    otherwise. 


In particular, given a random variable D, a random oracle H and a random variable 
K = (K_1, ..., K_ℓ) ∈ {0,1}^{ℓn}, by H{D → K} we denote a random oracle 
H{((D_{σ^i_1} ... D_{σ^i_{deg σ}}, K_i))_{i=1..ℓ}}. Observe that if K ~ U_{ℓn} is independent of H 
then the distributions of H{D → K} and H are the same. 
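Definitions 6 and 7 in executable form, as an added illustration that is not part of the paper: a lazily sampled oracle stands in for H, the twisted oracle H{D → K} reprograms it on exactly the ℓ bad arguments, and the list indices_A is extracted from a query log. The sample data, the seeded generator and all names are assumptions; the arguments carry the index i as in Fig. 2 and Definition 6.

```python
import math
import random


class RandomOracle:
    """Lazily sampled random function with n-byte outputs (toy, seeded)."""

    def __init__(self, n, rng):
        self.n, self.rng, self.table = n, rng, {}

    def __call__(self, arg):
        if arg not in self.table:
            self.table[arg] = bytes(self.rng.getrandbits(8) for _ in range(self.n))
        return self.table[arg]


class TwistedOracle:
    """H{L}: answers v_i on arg_i for (arg_i, v_i) in L, and H(q) otherwise."""

    def __init__(self, base, pairs):
        self.base, self.patch = base, dict(pairs)

    def __call__(self, arg):
        return self.patch[arg] if arg in self.patch else self.base(arg)


def bad_arguments(D, sigma):
    """The l arguments (i, D_{sigma^i_1}, ..., D_{sigma^i_d}), i = 1..l."""
    return [(i + 1,) + tuple(D[j] for j in nbrs) for i, nbrs in enumerate(sigma)]


def disperse(D, sigma, oracle):
    """Fig. 2 with the oracle passed in explicitly."""
    return [oracle(arg) for arg in bad_arguments(D, sigma)]


def twist_to_key(base, D, sigma, K):
    """H{D -> K}: reprogram H so that Disperse(D, .) outputs the blocks of K."""
    return TwistedOracle(base, zip(bad_arguments(D, sigma), K))


def indices_of(queries, D, sigma):
    """indices_A: pairs (k, i_k), k = first 1-based position of bad query i_k."""
    bad = {arg: arg[0] for arg in bad_arguments(D, sigma)}
    first = {}
    for k, q in enumerate(queries, start=1):
        if q in bad and bad[q] not in first:
            first[bad[q]] = k
    return sorted((k, i) for i, k in first.items())


def indices_bits(indices, l, q):
    """Description length used on the page: |indices| * (log l + log q) bits."""
    return len(indices) * (math.ceil(math.log2(l)) + math.ceil(math.log2(q)))


def demo(seed=7, n=8, l=6):
    rng = random.Random(seed)                      # constructed sample data
    D = [bytes(rng.getrandbits(8) for _ in range(n)) for _ in range(l)]
    K = [bytes(rng.getrandbits(8) for _ in range(n)) for _ in range(l)]
    sigma = [[i, (i + 1) % l] for i in range(l)]   # toy 2-regular graph
    H = RandomOracle(n, rng)
    return D, K, sigma, H, twist_to_key(H, D, sigma, K)


if __name__ == "__main__":
    D, K, sigma, H, Ht = demo()
    print("Disperse(D, H{D->K}) == K:", disperse(D, sigma, Ht) == K)
    bad = bad_arguments(D, sigma)
    log = [(1, b"x" * 8, b"y" * 8), bad[2], bad[0], bad[2]]
    idx = indices_of(log, D, sigma)
    print("indices_A =", idx, "costing", indices_bits(idx, len(D), len(log)), "bits")
```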


Construction of the simulator. The operation of S(A), based on the description 
of A, consists of the following steps described in Fig. 4. 


Before giving a formal proof of statistical indistinguishability of output 
distributions, we give some clarifying remarks about consecutive steps of the construction. 
Firstly, we should emphasize that in Step (2) we crucially use the properties of our 
leakage model by querying the leakage oracle with a potentially non-polynomial function 
simulating the whole behaviour of A. Secondly, observe that in Step (2) the simulator 
leaks only the indices of queries, not their actual arguments, as those can be observed 
during Step (3) of simulation. Thirdly, note that in Step (3a) we need not perform 
any additional leakage apart from the value of f, as f{D → K} can be obtained 
inside the leakage query as in Step (2). Therefore the leakage excess consists merely 
of the list indices_A and consequently AX = |indices_A| (log q + log ℓ). 

Proof (Proof of Theorem 2). We shall now argue that the simulator S constructed 
above satisfies the requirements of Theorem 2 for any adversary A. Concretely, 
we prove that S perfectly simulates the execution of any adversary A, unless 
|indices_A| > ℓ^e. Therefore, for any adversary A the output distribution of S(A) 
satisfies: 

(Output(A(K)), D) ≈_ε (Output(S(A)), D), 
Implementation of the simulator S. 

1. S initializes a random oracle H, i.e., creates a table H of uniformly random 
values associated to all inputs of H (or use OracleQueryList). Moreover, it 
draws a random variable K ← U_{ℓn}. 

2. S initializes the random tape of A to a fixed sequence of uniformly random bits 
and then queries the leakage oracle with the Turing machine ind : {0,1 —» 
{0,1}* which operates as follows: 

Operation of ind: 

Description of the function: Simulate the execution of A(K) 
step by step with random oracle queries substituted with 
H{D → K}. Every time the adversary A issues a leakage oracle 
query given by a Turing machine f, the simulator S provides 
her with a result of a twisted leakage function f{D → K}, i.e., 
a Turing machine with all random oracle queries substituted 
with H{D → K}. 

Result: The list indices_A. Returns indices_A if its length satisfies 
|indices_A| < ℓ^e, or ⊥ otherwise. 

Complexity: Leakage: |indices_A| (log q + log ℓ) 


3. S executes A(K) with a previously initialized (see Step (2)) random tape and 
H sampled above (see Step (1)), and then runs it step by step with the following 
exceptions: 

(a) When A issues a leakage query given by a Turing machine f, the simulator 
S substitutes it with a twisted leakage function f{D → K}. 

(b) S keeps track of the number k of random oracle queries issued to H and 
every time it appears in a pair (k, i_k) ∈ indices_A, replaces the value returned 
by H with K_{i_k}. Moreover, it stores the arguments a_k of queries appearing 
in the list indices_A and substitutes the value of H with K_{i_k} every time a_k 
appears as an argument. 


Fig. 4. Implementation of Simulator 

where ε = Pr(|indices_A| > ℓ^e). Firstly, note that the execution of A inside the 
leakage function ind (see Step (2)) is perfectly equivalent to an honest execution of 
A as H{D → K} is distributed equally to H. Consequently, the actual simulation 
given in Step (3) differs from a perfect simulation only by the condition on |indices_A|, 
as it is perfectly equivalent to the one performed during the simulator's leakage phase. 
This condition forces the return of ⊥ instead of the appropriate indices_A with probability 
Pr(|indices_A| > ℓ^e) = ε. Consequently, we bound ε by a factor negligible (in a certain 
sense) in the security parameters. Directly by applying Lemma 4 for an adversary 
A we see that: 

ε = Pr(|indices_A| > ℓ^e) = O(ℓ² · 

This completes the proof. 
6.4 Security of Disperse 


Again, based on one-wayness of Disperse we prove that our function satisfies the 
security requirements. We have the following: 

Theorem 3 (Security). Let Game = (C, id, Setup ch , Setup Adv , Execute) 3 be an e- 

secure game based on randomness K ~ U n i for the class of adversaries 
then for every t d -regular ( l e , (1 — rj)H) -disperser Q a , /3 satisfying P — > /? > 4ry 

and q = 2°^ the game GameDisk = (C, Disperse^, Setup Ch , Setup Adv , Execute) 
based on randomness (D,TL) of min-entropy H oo{D) = pin is e+0(£ 2 -2^ : r~ )-secure 
for adversaries in where A\ = f e (log q + n). 

Proof. Here, we omit the proof as it is technical and its main idea is analogous 
to the one presented in the proof of privacy. For the details see Appendix A.3. 
The high-level idea is to use reduction and apply Lemma 4 to bound the success 
probability. 
A Proofs of lemmata and theorems 

A.1 Technical lemma 

Here, we state a technical lemma that is a broad generalization of Lemma B.1 given 
in the work by Dziembowski, Kazana, and Wichs [13] and leads us to the proof 
of the main part of our work, i.e., Lemma 4 and its consequences. The statement 
may not look very interesting on its own: it is rather a wrapper for Corollary 2 and 
Corollary 3 stated in such a way that it will be directly used to prove Lemma 4. 
A similar idea was originally used in [13]. 

We start with a definition of a Guessing game which is tailored to be used in the 
proof of Lemma 4 (intuitively it describes exactly the skills of the adversary that we will 
deal with later). 

Definition 8. Let (X, H) be random variables. A Guessing game against adversary 
A consists of the steps described in Fig. 5. 


Guessing game for adversary A. 

Input: random variables (X, H), where X = (X_1, ..., X_ℓ) and H = (H_{v_1}, ..., H_{v_N}) 
for some parameters ℓ, N and labels v_i. (a) Furthermore we declare k_1, k_2, leakage 
parameter ALeak and p such that X has min-entropy at least pℓ log N. 

Leakage phase: 

1. A issues a leakage query Leak(X_1, ..., X_ℓ, H) of length ALeak. 

First phase: 

2. A adaptively queries H by submitting a label v and receiving H_v. 

3. A chooses a subset of indices S_1 ⊆ [ℓ] of size k_1 along with the guesses for all 
values (X_j | j ∈ S_1). 

Second phase: 

4. A receives all values of {X_i | i ∉ S_1}, i.e., all blocks that she did not try to guess. 

5. A outputs a subset of labels S_2 ⊆ {v_i}_{i=1..N} of size k_2 which were not previously 
(i.e., in the first phase) queried along with guesses for all values (H_v | v ∈ S_2). 


(a) The values of X_i should be considered as certain H labels. 

Fig. 5. Definition of Guessing game 

Lemma 5. Let (X^ ..., Xf, T-L) be a random variable such that: 

1. (Xi,... ,X() and % are independent, 

2. Li is a vector of random independent N = 2 Sn blocks of length n, 

3. each Xi is n bits long, 

4- HUXr,... , Xf) = pin for some 0 < p < 1. 

Now let A be a randomized algorithm playing Guessing game with ALeak = An. Then, 
the probability that A outputs all correct guesses (in both phases) is at most 

2 ~ en _|_ 2 — (^ n— 1) _|_ > 2 —/3n/4 _|_ 2-n((p-/3)-£-A-e-4<5+fc 2 ) 

if ki > l — and p£ < N, for any e > 0 and f3 < p. 
Proof. Let X = (Xi ,... ,Xi) and E be the list of all answers to q queries made 
by A in the first phase, and observe that \E\ = qn. In this proof we deal with the 
distribution: 

(X, n\Leak(X, U) = l,E = e) 

and apply the chain rule for it. Firstly, notice that by Lemma 1 with probability 
not less than 1 — 2~ en we have that: 

H oc (X,’H|Leak(A', T-L) = l, E = e) > p£n+Nn—Ai jea ] i —\E\—£n = n (pi + N — A — q — e). 

By Corollary 1 for A = 26 we get that (with probability at least i_ 2 -^n-\o g { P i+ N -x- q -e)) > 
i - 2 - ( zira-lo s( Ar ) -1 ) > 1 - 2~( Sn ~P by the assumption pi < N ): 

Hoo(X|Leak(X, H) = l,E = e ,Hint = h) + H oc (IL|X,Leak(X, U) = l,E=e, Hint = h) > 

>n(pi+N — A — q~£ — 4 6 ) 

So, either: 

H 00 (A'|Leak(X, Ti) =l,E = e,Hint = h) > (3ln (11) 

or: 

Hoo(%|X, Leak(X, H) = /, E = e, Hint = h) > n (p£ + N — X — q — e — 45 — /3£). 

( 12 ) 

Now, as k\ > i— i\ from Lemma 6 we know that the probability of all correct 
guesses in the first phase in case (11) is less then 4 £ 2 • 2 _/3 ” ,/4 . On the other hand, 
in case ( 12 ) we denote by w i,... ,w q +k 2 the labels of all queries conducted in the 
first phase together with the list of &2 guesses from the second phase. Then, the 
probability of all correct guesses in the second phase is less then 

2 -H x ,('H- wl ,'H W2 ,...,'H Wq+ko |Leak(Jf,W)=i,B=e,Hint=0 

After setting Ei i£ ^ to be the event (Leak(X, 'H) = l, E = e, Hint = h) and H to be 
the complement of l~L Wl , 7-L W2 > • ■ •, by Lemma 1 we see that: 

Hoo (H Wl ,H W2 ,... ,T-L Wq+k2 \Ei,e,h) > Hq c('H Wi ,'H W 2 , ■ ■ ■ ,T-t-w q+k2 |H; Ei t£:h ) 

= Hoo(H|H; E lieih ) > Hoo(H\E lieth ) - \H\ 

= H 00 (H\E l , e , h )-(N-q-k 2 )n 
= n (pi + N — A — q — £ — 45 — /3£ — N + q + kf) 

= n (pi — A — £ — 46 — Pi + £ 2 ). 

Therefore, by the union bound the final probability is bounded by: 

2~ £n _|_ 2 - ( <5n_1 ) -|_ 4£ 2 . 2 _|_ 2 - n ((p-/ ? )^- A - £ - 45 + fc 2 ) 

Remark 8. Note that in the above reasoning we assumed that A learns Leak(X, H), 
E and Hint (cf. conditions in (11) and (12)). This might be confusing since in the 
definition of Guessing game we assumed that only Leak(X, H) and E are learned. 
However, any additional input may only increase the probability of winning in any 
game. Therefore, the statement is proven. We believe that such reasoning 
(“additional information may only help”) is the major motivation for our definition of 
spoiling knowledge chain rule for min-entropy. 

Lemma 6. Let X = (X_1, ..., X_ℓ) be a sequence of (possibly dependent) random 
variables distributed over {0,1}^n. Now let A be a randomized algorithm that 
obtains a leakage Leak(X) as an input and consequently outputs a subset S ⊆ 
{1, ..., ℓ} along with guesses for all values {X_i | i ∈ S}. Now, if |S| > ℓ − ⌊β/4 · ℓ⌋ and 
H∞(X | Leak(X)) ≥ βℓn, then the probability that A outputs all correct guesses is 
at most: 

4ℓ² · 2^{−βn/4}. 

Proof. Here we just use Corollary 3: after learning Leak(X) and Hint(X) with 
probability at least 1 − 4ℓ(ℓ − 1) · 2^{−βn/4} there are at least ⌊β/4 · ℓ⌋ blocks of min-entropy 
of at least βn/4. The algorithm A is supposed to guess more than ℓ − ⌊β/4 · ℓ⌋ blocks so 
at least one block with min-entropy βn/4 is supposed to be guessed. This happens 
with probability at most 2^{−βn/4} and therefore by the union bound and the inequality 
4ℓ(ℓ − 1) + 1 < 4ℓ² we obtain the claim. As described in the remark above, here we also 
assume that A learns both Leak(X) and Hint(X). 

A.2 Proof of one-wayness of Disperse 

Here, we shall use the Guessing game defined in Appendix A.1. For a random oracle 
query b ∈ {0,1}^{ℓ^d n + log ℓ} we denote by b[i] (for i > 0) the i-th n-bit block of 
b and by b[0] the (log ℓ)-bit block, i.e. b = (b[0], b[1], ..., b[ℓ^d]). 

Lemma 7 (One-wayness of Disperse). Let Q a be a £ d -regular (£ e , (1 — r])£)-right 
disperser and D = (D i,..., Df) £ {0, l}" f be a random variable of min-entropy pin. 

Then, for any i sufficiently large the probability that an algorithm A(Disperse e ^ ( D , TL)) £ 

makes at least £ e different bad queries satisfies Pr(|indices_ 4 | > £ e ) = 
0(£ 2 2 - ^"/ 4 ) for any (i satisfying P ~ > P > 4?7 and q = 2 °^ 1 e i". 

Proof. Given an adversary A such that its associated list indices^ is longer or equal 

to i e with probability £ we construct a player Va hi game Guessing (x 1 ,...,x e ).n (.P, &i, ^ 2 - ALeak) 

for 

(A 1 ,...,X e ) = (D 1 ,...,D e ); 

k\ = (1 — r\)£ > £ — [_—; satisfied for £ large enough by the assumption on (i 

k 2 = £ 

ALeak = A + n£ + £ e (log q + log £), 
winning with probability (. Therefore, we conclude that 

£ < 2 -e " + 2 _ ^ d " +los ^ _1 ) + 4£ 2 ■ 2~d n / 4 _|_ 2 _ "((p _ ^ _ k)^ _ ~ 

by Lemma 5 in Appendix A.l. The detailed construction of Va is described in 
Fig. 6 . 
Implementation of a player Va- 
Learning phase: 

1. Player Va leaks £ values (D[,..., D' e ) = 

(h( 1, D a i ... ... ,H(£, D a e ... D a i^j from a leakage oracle O; 

2. initializes adversary A £ feeds her with D [,..., D (, then submits 

her to the leakage oracle O a to get a hint Leak(D,7t) containing: 

— the results of all leakage queries by A; 

— a list indices' of at most £ e first items of list indices^ 

Game phase: 

The adversary A is now executed with the following recipe for answering to leakage 
and oracle queries: 

1. The answers to leakage queries are obtained using Leak(D,%). 

2. The random oracle queries are obtained using T~L with an exception of elements 
■H(j, D a j ... D a i ) given in Leak(D, H). 

1 gd 

First phase 1. Everytime A issues a bad oracle query (ik,D i k ,..., D i k ) whose 

1 gd 

index k appears on the list indices' the player Va adds elements D i k to its 

a j 

list of guesses. 

Second phase 1 . Va guesses random oracle queries leaked in the first item of 
Learning phase. 

“ submitting A(D[,..., D' e ) to O means that O gets a description of Turing Machine 
realising A along with input tape containing D [,. .., 

Fig. 6. Implementation of a player Va 

The first step is to show that a player Va follows the rules of the game: 


Guessing ( Dl ,...,D e ),n ( P, (1 - rj) ■ g, £, A + nt + £ e (log q + logf)) . 


For this sake, we show that: 

— Length of hint ALeak = |Leak(Di,... 1 D(,'H)\ is not greater than leakage A of 
the adversary A along with nt bits needed to feed the A and t e (log q + log £ ) to 
handle bad queries. Hence ALeak = A + nt + f e (log q + log £). 

— Rules of the game requires that k\ > £ — , which follows from the assump¬ 

tions on j3. 


Now, we need to show that Va'- a) guesses at least Aq elements in the first phase 
with probability £ and b) guesses A ’2 = £ elements in the second phase. The claim 
b) follows from directly from the definition of Leak(H,'H). Namely, Leak(U,'H) 
contains the values of D a i ... D a i ) for i = 1 ... £ which are explicitly prohibited 

1 gd 

from being queried (Item 2 of the Game phase) and therefore can be guessed in the 
Second phase of operation of Va- In order to prove a) we use the fact that every 
bad query leads to the capability of guessing £ d associated s and apply the 

3 

properties of disperser graphs. More precisely, by the assumptions on A the length of 
indices' is equal to £ e with probability £. In this case, the neighbourhood of vertices 
labeled with indices' = {ii,... consists of at least (1 — rj)t elements (using 
basic property of disperser Q a ) and therefore the elements for j £ {1,... ,£ e } 
and k £ {1,... ,£ d } can be guessed in the First phase of operation of Va- 

This leaves us with the proof that under our assumptions the value 2~ en + 
2-^n+logf-l) + 4£ 2 . 2-/W4 + 2 -^(p-/3-^- £ ^ ± ^- e -4(^+ 1 ^)) ig j n fact 

equal to 0(4£ 2 ■ 2 _ ' Sn / 4 ). This follows from simple observations that: e is arbitrary, 
£ d > r(iogg+iog<!) _ £ _ 4 ^d + loElj = ( here we use q = 2°(^ 1 “'>) and 

o" 


A.3 Proof of security of Disperse 

Theorem 4 (Security). Let Game = (C, id, Setup ch , Setup Adv , Execute) 4 be an e- 

secure game based on randomness K ~ U n i for the class of adversaries 
then for every t d -regular ( £ e , (1 — rf)£)-disperser Q a , f) satisfying p — > ft > 4p 

and q = 2°^ 1 <4n _ g ame GameD is i; = (C, Disperse^, Setup Ch , Setup Adv , Execute) 
based on randomness (H,7t) of min-entropy p£n is e + 0(£ 2 ■ 2~ J r~ )-secure for ad¬ 
versaries in where A\ = £ e (log q + n). 


Proof. The proof will be based on reduction. For the sake of contradiction, we as¬ 
sume that there exists (efficiently samplable) random distribution D of min-entropy 

pn£ and a GameDisk-adversary A £ such that: 

^Pr^GameDiskl-d ^ C,key' £- Dispers eg <r (D,7i)\ = Accept) > e' = e+Pr(|indices^i Iiitariial | > £ e ). 

Using A as a component, we construct an adversary A' £ TM^ A ' contradicting 
(e, TM 0 *-"^-security of Game based on randomness K. Its description is given in 
Fig. 7. Note that we shall freely use the twisted random oracles defined in Defini¬ 
tion 7. 

To finish the proof we need the following claims. 

Claim (Simulation). The execution of G' := Game[A' *=? C,key £- AT] based on ran¬ 
domness K is in fact a simulation of G := Game[Ai n ternai *=? C, key' ■£- Disperse^ (D , H{D 
A'})] executed on mock randomness (D,7£). 

Proof. Firstly, observe that the key K is equal to Disperse^ (D, T~L{D AT}) 

(by definition of T~L{D -^4 AT}) and therefore the input of C in G' is equal to 

Setup ch (Disperse gCT (D,'H{D A'})) as in G. Moreover, all the messages send 
by A' are in fact produced by game G adversary Ai n t e rnai and therefore the only 

4 id denotes the identity mapping 
difference is that the leakage and random oracle queries of A_internal are not processed 
honestly but simulated by means of leakage of A' described in steps (3a) and (3b) 
in Fig. 7. 

Claim (Simulation’s correctness). The simulation above is faithful (i.e., A' works 
the same as corresponding ^internal) unless _L is returned in part (3c) of simulation. 
This occurs with probability £ = Pr(|indices| > £ e ) and therefore 

Pr(^4i nte rnai is faithfully simulated) = 1 — Pr(|indices| > i e ) = 1 — £. 

Proof. The first part, concerning simulation correctness, is clear from the construction. More precisely, a difference between the messages of the honest $A_{\mathrm{internal}}$ and $A'$
occurs only if the restriction $\lambda$ on the size of leakage (see (3c)) intervenes. Therefore we are left to prove that Pr($\perp$ is returned in (3c)) = £. This follows directly by
applying Lemma 4 to $A_{\mathrm{internal}}$. ■

Claim (Leakage bound). The total leakage of A! during the execution of Game^' ^=, 
C, key K) does not exceed A bits and consequently A! belongs to TM°* A '. 
Proof. Clear, as we have explicitly bounded the leakage inside A' (see (3c) in Fig. 7). 

All the above claims prove that $A'$ is an efficient adversary for Game which succeeds
with probability:

$$\Pr(G' = \mathrm{Accept}) \geq \Pr(G = \mathrm{Accept} \text{ and } A_{\mathrm{internal}} \text{ is correctly simulated}) \tag{13}$$

$$\geq \Pr(G = \mathrm{Accept}) + \Pr(A_{\mathrm{internal}} \text{ is correctly simulated}) - 1 \tag{14}$$

= £' +( 1 - 6-1 = ( 15 ) 

where in line (13) we used (Simulation) claim and in (15) we used the fact that the 
distributions (0,1-1) and (D,'H{D K}) are the same and therefore 

Pr(G = Accept) = Pr(Game[A *=? C,key Disperse^ (D, H)] = Accept) = s', 

and moreover that Pr($A_{\mathrm{internal}}$ is correctly simulated) = 1 − £ by Claim (Simulation's correctness).

This contradicts the (e, TM^^^-security of Game and consequently gives a 
proof of the theorem as by Lemma 7 the probability Pr(|indices^ 4 Interiial | > l e ) = 
0(£ 2 ■ 2 t ). 

B Disperser graphs 

Here, we present some structure theorems concerning so-called disperser graphs,
which allow us to amplify the privacy and security properties of the above constructions. We do not claim originality of the upcoming considerations. Similar arguments appear for example in [18,26]. Despite this, we were not able to find the
results of Corollary 4 in the literature. Let $\mathcal{G} = (V, E)$ be an undirected graph with
the set of vertices $V$ and edges $E$. For a subset $S \subseteq V$ by $N(S)$ we denote
$\{w \in V : \exists_{s \in S}\, (s, w) \in E\}$, i.e. the set of all neighbours of $S$. We say that a
bipartite graph $\mathcal{G} = (V^0 \sqcup V^1, E)$ is right $d$-regular if all vertices in $V^1$ have the
same degree $d$.

Definition 9 ($(k, \epsilon)$-extractor). We say that a function $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$
is a $(k, \epsilon)$-extractor if for any random variable $X$ of min-entropy $H_\infty(X) \geq k$
and $S \sim U_d$ we have $\Delta(\mathrm{Ext}(X, S), U_m) \leq \epsilon$.

Definition 10. A bipartite graph $\mathcal{G} = (V^0 \sqcup V^1, E)$ is a right $(K, L)$-disperser if
for every set $S \subseteq V^1$ such that $|S| = K$ the neighbourhood $N(S)$ satisfies

$$|N(S)| \geq L,$$

i.e. sets of size $K$ expand into sets of size at least $L$.

We shall use the following simple lemma which describes expansion properties 
of bipartite graphs. 

Lemma 8. Let $\mathcal{G} = (V^0 \sqcup V^1, E)$ be a bipartite right $(K, L)$-disperser. Then for
every set $S \subseteq V^1$ such that $|S| \geq K$ and every subset $T \subseteq V^0$ of size $|T| < L$ the
set $N(S)$ is not contained in $T$.

Proof. This is a direct counting argument. Take $S' \subseteq S$ of size equal to $K$. The size of $N(S)$
then satisfies:

$$|N(S)| \geq |N(S')| \geq L,$$

which finishes the proof.

In order to instantiate the above considerations, we need the following correspondence between dispersers and randomness extractors. Observe that every function
$f : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}^n$ corresponds to a right $2^m$-regular bipartite graph
$\mathcal{G}_f = (V_f, E_f)$ defined by:

$$V_f = V_f^0 \sqcup V_f^1 \quad \text{for } V_f^0 = V_f^1 = \{0,1\}^n, \tag{16}$$

$$E_f = \{(v_0, v_1) : \exists_{e \in \{0,1\}^m}\, f(v_1, e) = v_0\}. \tag{17}$$

It turns out that randomness dispersing properties of $f$ are closely related to the
vertex expansion of $\mathcal{G}_f$. Namely, the following theorem holds.

Proposition 2. (see [26], Proposition 6.20) Let $D : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}^n$ be
a function such that for any random variable $X \in \{0,1\}^n$ of min-entropy $H_\infty(X) \geq \delta n$
and $E$ distributed uniformly on $\{0,1\}^m$, the statistical distance $\Delta(D(X, E), U_n)$
is less than or equal to $\epsilon$. Then for every $S$, a subset of the right side of the bipartite graph
$\mathcal{G}_D = (V_D^0 \sqcup V_D^1, E_D)$ of size $2^{\delta n}$, the neighbourhood $N(S)$ satisfies

$$|N(S)| \geq (1 - \epsilon) \cdot 2^n,$$

i.e. the graph $\mathcal{G}_D$ is a right $2^m$-regular $(2^{\delta n}, (1 - \epsilon) \cdot 2^n)$-disperser.

Proof. Take $S$ a subset of $\{0,1\}^n$ of size $2^{\delta n}$, $X_S$ a random variable distributed
uniformly on $S$ and $E$ distributed uniformly on $\{0,1\}^m$. Observe that $H_\infty(X_S) \geq \delta n$
and therefore, by the assumptions concerning $D$, the inequality $\Delta(D(X_S, E), U_n) \leq \epsilon$
holds. Moreover, we see that $\Pr(D(X_S, E) = s) \neq 0$ exactly for $s \in N(S)$, so
$\Delta(D(X_S, E), U_n) \geq (2^n - |N(S)|) \cdot \frac{1}{2^n}$. Combining these two inequalities we obtain

$$\epsilon \geq \Delta(D(X_S, E), U_n) \geq (2^n - |N(S)|) \cdot \frac{1}{2^n},$$

which is equivalent to the proposition.

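The correspondence (16)-(17), Definition 10 and the inequality used in the proof of Proposition 2 can be checked by brute force on a small instance. The following Python sketch is an added example, not code from the paper; `toy_f` (a shift map with n = 4, m = 2) and all function names are assumptions made for illustration, and `toy_f` is not a real extractor.

```python
from fractions import Fraction
from itertools import combinations

def toy_f(x, e, n):
    """Constructed toy map {0,1}^n x {0,1}^m -> {0,1}^n (NOT a real extractor)."""
    return (x + e) % (1 << n)

def neighbourhood(f, S, n, m):
    """N(S) in G_f: all v0 with f(v1, e) = v0 for some v1 in S and e in {0,1}^m."""
    return {f(v1, e, n) for v1 in S for e in range(1 << m)}

def max_expansion(f, n, m, K):
    """Largest L such that G_f is a right (K, L)-disperser: min |N(S)| over |S| = K."""
    return min(len(neighbourhood(f, S, n, m))
               for S in combinations(range(1 << n), K))

def is_right_disperser(f, n, m, K, L):
    """Definition 10, checked exhaustively over all right-side sets of size K."""
    return max_expansion(f, n, m, K) >= L

def statistical_distance_from_uniform(f, S, n, m):
    """Delta(f(X_S, E), U_n) with X_S uniform on S and E uniform on {0,1}^m."""
    weight = Fraction(1, len(S) * (1 << m))
    prob = {}
    for v1 in S:
        for e in range(1 << m):
            out = f(v1, e, n)
            prob[out] = prob.get(out, 0) + weight
    uniform = Fraction(1, 1 << n)
    return sum(abs(prob.get(v0, 0) - uniform) for v0 in range(1 << n)) / 2

def proposition2_holds(f, n, m, K):
    """Check Delta >= (2^n - |N(S)|) / 2^n for every S of size K, then confirm
    G_f is a right (K, (1 - eps) * 2^n)-disperser for eps = max over S of Delta."""
    size = 1 << n
    eps = Fraction(0)
    for S in combinations(range(size), K):
        delta = statistical_distance_from_uniform(f, S, n, m)
        if delta < Fraction(size - len(neighbourhood(f, S, n, m)), size):
            return False
        eps = max(eps, delta)
    return max_expansion(f, n, m, K) >= (1 - eps) * size

if __name__ == "__main__":
    n, m, K = 4, 2, 4  # K = 2^(delta * n) with delta = 1/2
    print("largest L for K = 4:", max_expansion(toy_f, n, m, K))
    print("Proposition 2 check:", proposition2_holds(toy_f, n, m, K))
```

The shift map expands a set of 4 right vertices to only 7 of the 16 left vertices in the worst case, which shows how far a non-extracting function is from the $(1 - \epsilon) \cdot 2^n$ expansion the proposition yields.
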
The existence of an efficiently computable function Ext (we require efficient
computability in order to instantiate $\mathcal{G}_{\mathrm{Ext}}$ effectively) satisfying the assumptions of
Proposition 2 follows from the result proven in [16]:

Theorem 5 (see [16], Theorem 1.5). For every constant $\alpha > 0$ and all positive
integers $n, k$ and all $\epsilon > 0$, there is an explicit construction of a $(k, \epsilon)$-extractor
$\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^s \to \{0,1\}^m$ with $s = O(\log n + \log(1/\epsilon))$ and $m \geq (1 - \alpha)k$.

More precisely, for any $\eta > 0$ we take a $((1 + \eta), \epsilon)$-extractor $\mathrm{Ext} : \{0,1\}^{(1+\gamma+\eta)n} \times \{0,1\}^s \to \{0,1\}^n$, which corresponds to the choice $\alpha = $ in the above Theorem 5, and
interpret it as a function $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^{(\gamma+\eta)n+s} \to \{0,1\}^n$. Then, taking $X \in \{0,1\}^n$
of min-entropy $H_\infty(X) \geq (1 - \gamma)n$ we see that $\Delta(\mathrm{Ext}(X, U_{(\gamma+\eta)n+s}), U_n) \leq \epsilon$
and therefore we may apply Proposition 2 to obtain a $2^{(\gamma+\eta)n+s}$-regular $(2^{(1-\gamma)n}, (1 - \epsilon) \cdot 2^n)$-disperser. As $\eta$ might be chosen arbitrarily and $s = O(\log n + \log(1/\epsilon))$ we
obtain:

Corollary 4. For any $\epsilon > 0$ and $c > 0$, there exists $n_c \in \mathbb{N}$ such that for $n > n_c$
and $(d, k)$ such that $d \cdot k > 2^{(1+c)n}$, there exists an effectively computable bipartite
right $d$-regular graph which is a right $(k, (1 - \epsilon) \cdot 2^n)$-disperser. In particular, for
any $\alpha > \frac{1}{2}$ and $\ell = 2^n$ sufficiently large there exists a bipartite right $\ell^\alpha$-regular
$(\sqrt{\ell}, (1 - \epsilon) \cdot \ell)$-disperser.

Proof. Apply Proposition 2 and the above discussion after Theorem 5. 


C Proofs of auxiliary facts 

Proof (Proof of Proposition 1). Let $u_\gamma$ be a shorthand for $\lfloor \frac{\beta - \gamma}{1 - \gamma} \ell \rfloor$. Assume the
opposite, i.e., there exist $\ell - u_\gamma$ numbers $x_i$ smaller than $\gamma n$. Then,

$$x_1 + \dots + x_\ell < u_\gamma n + (\ell - u_\gamma)\gamma n = ((1 - \gamma)u_\gamma + \gamma\ell) \cdot n \leq \left((1 - \gamma)\frac{\beta - \gamma}{1 - \gamma} + \gamma\right) \cdot \ell n = \beta \ell n,$$

which contradicts the fact that all $x_i$ sum up to $\beta \ell n$.

Implementation of $A'$.

Input: The adversarial data Setup Adv (A) on K sampled from ~ U n t (cf. step (1) 
in Fig. 1). 

Setup phase: 

1. A mock random variable $D$ is sampled from the distribution $\mathcal{D}$. An efficient
data structure OracleQueryList for the on-the-fly storage of random oracle
A queries is prepared. 

2. An internal version $A_{\mathrm{internal}}$ of the GameDisk adversary $A$ is initialized and given

Setup Adv (A) = Setup Adv (Disperseg^(D, H{D A'})) 

as input (as in Game[yl Interna i ^ C,key' <— Dispers eg t7 (D,'H.{D A'})]). 

Execution phase: 

3. Every time $A'$ is provided with a new message $\mathsf{msg}_d$ (including the one initialized with the 0-th message $\perp$), she performs the following steps:

a) performs getIndices() leakage:

getIndices() leakage

Result: The list indices containing pairs $(i, v_i)$ of an index $i$ and a result $v_i$ of
$A_{\mathrm{internal}}$'s bad random oracle query (cf. Definition 6) conducted during

its operation in Game[Ai n ternai ^ C.key' Disperse^ (_D,A{.D 
A })] when provided with msg d , before sending the next message. 

Description of the function: Just simulate the behaviour of $A_{\mathrm{internal}}$ and
check whether random oracle queries are bad or not.

Complexity: Leakage: $|\mathsf{indices}| \cdot (\log q + n)$, time: the same as $A_{\mathrm{internal}}$'s operation

b) simulates the behaviour of $A_{\mathrm{internal}}$ with the following recipe for answering
leakage and random oracle queries:

How to reply to leakage and random oracle queries?

Random oracle queries: If the index $i$ appears in one of the pairs in the list
indices leaked above then return $v_i$; otherwise look up OracleQueryList
and answer with a value from there or a random element drawn from
$U_n$. In any case, add the whole query to OracleQueryList.

Leakage queries We answer a leakage oracle query / described by a 
circuit containing 0(D,A) queries by the same circuit containing 
0(D,'H{D A'}) instead. Note that in order to substitute all bad 

queries of A by A {D A'}), we just need to access D , A and 0(K ) 
which are all given to A' ■ 

Complexity: Leakage: same as $A_{\mathrm{internal}}$'s, time: same as $A_{\mathrm{internal}}$'s up to the
time necessary for OracleQueryList look-ups. Bounded by $\lambda - \lambda_1$.

c) if the total leakage, equal to $\lambda - \lambda_1 + |\mathsf{indices}| \cdot (\log q + n)$, exceeds $\lambda$ then
terminate with $\perp$;

d) returns the message prepared by $A_{\mathrm{internal}}$.


Fig. 7. Implementation of $A'$